JP2008250680A - Security requirement analysis support device and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform support such that even a nonexpert can efficiently perform security analysis of a level equivalent to an expert at low cost when creating a system requirement definition considering security. <P>SOLUTION: Information wherein a domain and a related term are associated and information of a term equivalent to the term related to the domain are held inside a common term DB, and it is analogized that the domain having the most number of the terms included in each element that is a node of a goal model or the most number of the included terms equivalent to the term is the domain to which the goal model belongs. When reading an attacker model corresponding to the analogized domain from an attack DB, an unnecessary attacker model candidate is deleted in reference to a task already described inside the presently creating goal model, an attacker model candidate wherein an unnecessary model portion is deleted from the attacker model candidate is created and displayed, and a user is made to select whether it is necessary or not. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a security requirement analysis support apparatus and a computer program.

  The development process of a computer system generally has a flow of requirements definition, design, manufacturing, and testing. In the development process, it is effective to clearly define the requirement definition in order to proceed smoothly with minimal rework and improve the quality of the system. One of the conventional methods used to analyze the requirements of the development target system, that is, to analyze the functions required for the development target system is goal-oriented requirement analysis. Star).

  FIG. 13 shows an analysis example using i *. In i *, the “actor” is an entity that has an interest and responsibility for achieving the goal, etc. (in the model, the responsibility area of the actor is indicated by a circular actor boundary). “Goal”, “Soft Goal” that cannot be clearly determined whether or not it is achieved (generally having a degree of achievement from 0 to 1), “Task” that is a procedure to achieve the goal, for goal achievement and task execution The request is made visible by describing the physical entity used in the process or an element such as “resource” as information as a node and describing the dependency relationship between these nodes as a diagram. As a result, it is possible to analyze the required functions while looking over the stakeholder's interests and dependencies as a whole, and therefore, it is easy for humans to understand and enables efficient analysis.

  In recent years, in i *, an extended method has been proposed to analyze security-related requirements (see, for example, Non-Patent Document 1). In the method described in Non-Patent Document 1, in addition to normal stakeholders to be considered, an attacker's stakeholder is considered, and the attacker's malicious objectives are extracted to make it impossible to achieve those objectives. Add objectives or tasks to normal stakeholders to reduce or mitigate. As a result, it is possible to perform requirements analysis in consideration of security.

  FIG. 14 is a diagram showing a normal i * process and a process extended by Non-Patent Document 1. FIGS. 15 and 16 show a goal model generated by the process extended by Non-Patent Document 1. It is an example. As shown in FIG. 14, in the normal i * process, first, an actor is specified (step S910). Then, after analyzing the dependency relationship between the specified actors and creating a strategy dependency model (step S912), a goal and a task are specified (step S914). Subsequently, a strategy principle model is created by analyzing the dependency relationship in the actor and comparing and evaluating the goal (step S916), and further, the dependency relationship between nodes is specified (step S918). The process of S912 to S918 is appropriately repeated partially or entirely to create a goal model.

In the expansion process, an attacker is identified and an attacker model is generated (steps S920 and S922). Here, attackers are identified as actors, but all actors in the domain model are considered as potential attackers (eg, malicious users, maliciously modified devices). This attacker has the same goals, tasks and resources as the corresponding domain model actor.
Next, the malicious intention of the actor is specified, and a malicious model is generated (steps S924 and S926). In other words, in addition to the elements of the domain model, malicious intention is specified as the goal of the attacker.
Subsequently, the vulnerability is analyzed and a vulnerability model is generated (steps S928 and S930). In the analysis of vulnerabilities, the elements that can be affected by the attack are identified, but elements that receive negative contributions from malicious goals and tasks, and elements that depend on malicious goals and tasks are considered vulnerable. To do.

  As shown in FIG. 15, the attacker is identified, the malicious intention of the attacker is identified, a malicious model is generated, and the vulnerability model is generated from the possibility of being attacked by the malicious intention. An attack method that makes a difference is identified and an attack method model is created (steps S932 and S934). That is, the attack method is specified as a task that is a means for achieving malicious intent. Further, elements of the domain model (ordinary i * model) may be used (“abuse”).

  When the attack method model is created, a countermeasure against the attack is identified and a countermeasure model is generated as shown in FIG. 16 (steps S936 and S938). That is, returning to the original domain model, a soft goal “I want to counter the attack” is set for each identified attack method. Or, more specifically, it is preferable to set a goal such as “I want to avoid an attack” or “I want to detect an attack”. Then, measures are identified as tasks that have a positive contribution to these soft goals.

On the other hand, when creating a new specification, there is a security design support device that can improve the efficiency of the entire editing work by using a pre-database that stores existing specification examples (for example, Patent Document 1). reference).
JP 2004-220459 A Liu et al., “Security and Privacy Requirements Analysis within a Social Setting”, 11th IEEE International Conference on Requirements Engineering (RE'03), 2003, pp.151-161.

  Non-Patent Document 1 discloses an extended method for analyzing security requirements, but this shows only an artificial analysis procedure. Therefore, the reliability (coverability and validity) of the analysis results is determined by the attacker (step S920), malicious (step S924), and attack method (step S932) that the analyst should consider in the domain to be analyzed. It depends on whether it can be found without omission (FIG. 15). However, whether or not they can be discovered without fail depends on the security knowledge of the analyst, knowledge of the target domain, skill of analysis, and the like. Therefore, it has been difficult for analysts who do not have such knowledge and experience to effectively utilize this method and perform highly accurate analysis. Therefore, even a non-experienced person in security requirement analysis is required to be able to perform highly accurate analysis close to the skilled person.

  In addition, elements (goals, tasks, resources) may be duplicated or contradicted during the goal model creation process. FIG. 17 is a diagram illustrating an example in which redundant elements are included. In the figure, the malicious goal G1 is achieved when both of the subgoals SG1 and SG2 hold. However, the subgoal SG2 cannot be achieved because the task T1 “Take a log that cannot be deleted” that makes the subgoal SG2 “delete operation log” impossible is already present in the goal model. The malicious goal G1 is formed by the AND condition of the subgoals SG1 and SG2, and if the subgoal SG1 is not achieved, the higher-order goal G1 is not achieved. Conventionally, there is no means for automatically verifying such overlapping or contradiction of elements during the creation of an analysis diagram, so it has been necessary to confirm it visually by humans. This was costly and could be overlooked as the model became more complex.

  Therefore, in Patent Document 1, the duplication and contradiction of requirement definitions are inferred based on the inclusion relation of attributes. An example in which duplication is estimated by this technique will be described. For example, “threat A: privileged user alters important data (attributes: <attacker / factor> administrator, <protected asset> information, <threat type / attack method> all alterations”), “threat B: An outsourcer with administrator authority alters important customer information (attributes: <attacker / factor> outsource administrator, <protected asset> customer information, <threat type / attack method> all alterations) " Suppose there was. Further, it is assumed that the manager includes an outsource manager and an internal manager. In this case, threat A and threat B have a hierarchical (inclusion) relationship in both attributes of the actor indicated by <Attack / Factor> and the information asset indicated by <Protected Asset> (Administrator / Outsource Management) Since the attack method attributes indicated by <Person, Information> Customer Information) and <Threat Type / Attack Method> match, it is determined that threat A and threat B may overlap.

  An example in the case of inferring contradiction will be described. For example, “Prerequisite A: The system administrator shall not abuse privileges. (Attributes: <Attack / Factor> Administrator, <Protected Asset> All, <Threat Type / Attack Method> All”) “Threat B: Outsourcer with administrator authority alters important customer information. (Attributes: <Attack / Factor> Outsource Administrator, <Protected Asset> Customer Information, <Threat Type / Attack Method>” Falsification) ”. In addition, it is defined that the manager includes an outsource manager and an internal manager. In this case, since the precondition A and the threat B have a hierarchical (inclusion) relationship in the participant attribute indicated by <Attack / Factor>, it is analogized that the precondition A and the threat B may conflict. .

As described above, in the technique of Patent Document 1, some attributes are assigned to the requirements and managed, and duplication / inconsistency is inferred based on the inclusion relation of the attributes. Since the elements must be compared, there is a problem that the processing cost is high. For example, for n elements, (n-1) ^two comparisons must be made. In addition, there is a problem that the reliability of the analogy result is low because it has only a simple criterion of inclusion of sets.

  The present invention has been made in view of such circumstances, and when analyzing a system requirement definition considering security, even a non-skilled person can efficiently perform security analysis at the same level as a skilled person. Furthermore, it is an object of the present invention to provide a security requirement analysis support apparatus and a computer program that can be supported at a low cost.

  In order to solve the above-described problems, the present invention provides security to a goal model including a goal to be achieved by a development system and one or more of goals or tasks or resources for achieving the goal as elements. A security requirement analysis support device that supports security analysis by presenting threatening attacker model candidates, and stores goal model data indicating information on elements constituting the goal model and dependencies between the elements For conflict or duplication with the goal model information storage unit to be used, the element for achieving the malicious goal, which is the goal targeted by the malicious attacker, and the attacker model indicated by the dependency between the elements The attacker model data consisting of information about the elements that are not established simultaneously with the elements that make up the attacker model An attack database stored in correspondence with the in-line, a database input / output unit that reads out attacker model data corresponding to information of a domain to which the goal model belongs, and an attacker model data read out by the database input / output unit Based on the information on the elements that are not established simultaneously and the information on the elements indicated by the goal model data in the goal model information storage unit, the elements indicated by the goal model data are simultaneously established from the attacker model data. When attacker model data that contains elements that are not included is identified, and the elements that do not hold simultaneously are deleted from the information about the elements indicated by the identified attacker model data and the dependencies between the elements, malicious It is also malicious when judging whether or not the goal is achieved and deleting the elements that are not established simultaneously If the rule is achieved, the attacker model data is deleted from the attacker model indicated by the attacker model data, and the elements that are not established simultaneously are deleted. The attacker model information generation unit that changes to indicate a new attacker model, and the attack that has been determined by the attacker model information generation unit as not to contain an element that does not coincide with the element indicated by the goal model data And a goal model information control unit for instructing to display the attacker model data and the attacker model indicated by the changed attacker model data.

  In addition, the present invention is the security requirement analysis support apparatus described above, further comprising a common term database that stores information on words corresponding to domains and similar words of the words, and includes elements of the goal model data. The information includes description information indicating the description of the element, and the attacker model information generation unit is used for description of the element from the information of the element indicated by the goal model data in the goal model information storage unit A word is extracted, and the database input / output unit is a domain to which a word extracted by the attacker model information generation unit and a similar word of the extracted word are associated as a domain to which the goal model belongs Is read from the common term database.

  Further, the present invention is the security requirement analysis support apparatus described above, wherein the attack database includes element information that cannot be simultaneously established including at least information of a description indicating an element that is not simultaneously established with an element included in the attacker model. And further comprising a common term database for storing synonyms of phrases included in the description of elements that are not simultaneously established with elements included in the attacker model, wherein the database input / output unit includes: The synonym information of the phrase used in the description of the element indicated by the goal model data is read from the common term database, the element data that cannot be simultaneously established is read from the attack database, and the attacker model information generating unit is , Not synonymous with synonym information read by the database input / output unit In response to the input of raw data, among the non-simultaneous simultaneous element data, the simultaneous synonym non-capable element data including the synonym included in the description is identified, and the identified simultaneous unsatisfiable element is selected from the attacker model candidate group Determining that the attacker model data including the data of the elements that are not simultaneously established indicated by is the attacker model data including the elements that are not simultaneously established with the elements indicated by the goal model data; It is characterized by.

  Further, the present invention is the security requirement analysis support device described above, wherein the goal model information storage unit is selected by a user from attacker model data whose output is instructed by the goal model information control unit. The attacker model data is stored, and the attacker model information generation unit, when an element is added to the goal model, the simultaneous establishment indicated by the attacker model data stored in the goal model information storage unit Based on the information of the elements that are not included, the attacker model data that contains the data of the elements that are not simultaneously established with the newly added elements is identified, and the elements indicated by the identified attacker model data are It is judged from the information with the dependency relationship of whether or not the malicious goal is achieved when the elements that are not simultaneously established are deleted, and the malicious goal is achieved. If not, the attacker model data is deleted from the goal model information storage unit, and when the malicious goal is achieved even when the elements that are not simultaneously established are deleted, the identified attacker model data is The goal model information control is performed by deleting the element that is not simultaneously established from the attacker model indicated by the attacker model data, and changing to indicate a new attacker model from which the element that is not established when the element is deleted. The unit deletes the attacker model indicated by the attacker model data deleted by the attacker model information generation unit from the display, and also displays a new indication of the attacker model data after the change of the display of the attacker model before the change. It is characterized by instructing to change to the display of a simple attacker model.

  In addition, the present invention provides a model of an attacker who threatens security in a goal model that includes, as elements, a goal to be achieved by the development system and a goal or task for achieving the goal, or one or more of resources. Goal model information for storing goal model data indicating information on elements constituting the goal model and dependencies between the elements, using a computer used as a security requirement analysis support apparatus for supporting security analysis by presenting candidates The memory unit, the elements for achieving the malicious goal, which is the goal that the malicious attacker is aiming for, and the attacker model indicated by the dependency between the elements, and the attacker model for contradiction or duplication Attacker model data consisting of information about elements that do not hold simultaneously with constituent elements The attack database stored in correspondence with the in-line, the database input / output unit for reading the attacker model data corresponding to the information of the domain to which the goal model belongs, from the attack database, the attacker model data read by the database input / output unit Based on the information of the elements that are not established simultaneously and the information of the elements indicated by the goal model data in the goal model information storage unit, the elements that are not established simultaneously with the elements indicated by the goal model data from the attacker model data The malicious goal is determined when the elements that are not simultaneously established are deleted from the information of the elements indicated by the identified attacker model data and the dependency relationship between the elements. Judgment is also made when it is determined whether it is achieved and the elements that are not simultaneously established are deleted. Is achieved, the attacker model data is deleted from the attacker model indicated by the attacker model data, and the new element is deleted. An attacker model information generation unit that changes to indicate an attacker model, and the attacker model data determined by the attacker model information generation unit as not including an element that is not simultaneously established with the element indicated by the goal model data And a goal model information control unit that instructs to display the attacker model indicated by the changed attacker model data.

  According to the present invention, there is an effect that in the security requirement analysis, there is an increased possibility of finding an attack that is easily forgotten. At this time, unnecessary analysis is removed, so that analysis efficiency is increased. In addition, duplication and contradiction of elements can be verified in the goal model creation process. As a result, the reliability (coverage and validity) of security-related requirements analysis is enhanced, and even a novice can easily support security requirements analysis. Further, since it is not necessary to compare all combinations of elements constituting the goal model, it is possible to reduce the processing cost.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a diagram for explaining an outline of the operation of the security requirement analysis support apparatus 10 according to an embodiment of the present invention.
First, the security requirement analysis support device 10 analyzes the analysis diagram of the goal-oriented requirement analysis created by the analyst, that is, the phrase used in the goal model and the relationship between the phrase and the domain, and analyzes it now. Estimate the target domain. That is, the common term database 30 (hereinafter referred to as “DB”) holds information in which a domain and a phrase related to the domain are associated with each other and information on synonyms of the phrase related to the domain. Keep it. Then, the domain having the largest number of words and phrases that are included in each element that is a node of the goal model and the synonyms of the words is analogized as the domain to which the goal model currently being created belongs.

  Next, the security requirement analysis support apparatus 10 reads out an attacker model corresponding to the analogized domain from the attack DB 40 in which information related to the attacker / malicious goal / vulnerability / attack method assumed for each domain is accumulated. This is the attacker model candidate. Also, all these attacker model candidates are combined into an attacker model candidate group. The security requirement analysis support device 10 refers to a task already described in the currently created goal model, deletes an unnecessary attacker model candidate due to contradiction or duplication, and removes from the attacker model candidate. A new attacker model candidate from which unnecessary model portions are deleted is created, replaced with the current attacker model candidate, and a new attacker model candidate group is created. The security requirement analysis support device 10 displays the attacker model candidates included in the newly created attacker model candidate group on the goal model, and informs the user whether or not these displayed attacker model candidates are necessary. Let them choose. The user adds an element so that the malicious goal of the attacker model selected from the candidates is not achieved, and creates a goal model related to security.

  FIG. 2 shows an outline of the operation shown in FIG. 1, in which the security requirement analysis support device 10 deletes unnecessary attacker model candidates from the attacker model candidate group and deletes unnecessary portions from the attacker model candidates. It is a figure for demonstrating the process outline | summary at the time of creating a simple attacker model candidate and displaying it to a user. The security request analysis support device 10 operates as shown in (Procedure 1) to (Procedure 6) below.

(Procedure 1) First, the security requirement analysis support device 10 reads all sets of attacker models (malicious goal trees) corresponding to the estimated domains from the attack DB 40. Then, the read attacker model is set as an attacker model candidate, and an attacker model candidate group that is a set of these attacker model candidates is generated.
(Procedure 2) The security requirement analysis support apparatus 10 selects an unselected attacker model candidate from the attacker model candidate group generated in (Procedure 1).
(Procedure 3) The security requirement analysis support apparatus 10 determines whether the attacker model selected in (Procedure 2) overlaps or contradicts the elements in the current goal model.
(Procedure 4) If it is determined in (Procedure 3) that there is duplication or contradiction, the deleteable elements are deleted as much as possible in consideration of the AND / OR relationship in the malicious goal tree constituting the attacker model candidate. Then, a new malicious goal tree is created and set as a new attacker model candidate.

For example, in FIG. 2, the malicious goal G1 included in the attacker model candidate is achieved when the AND of the subgoals SG1 and SG2, that is, both the subgoals SG1 and SG2 hold. If the task T1 that makes the subgoal SG2 impossible is already present in the current goal model, the subgoal SG2 is not achieved. The malicious goal G1 is formed by the AND condition of the subgoals SG1 and SG2, and if the subgoal SG1 is not achieved, the higher-order goal G1 is not achieved, so that this attacker model candidate itself is not necessary.
Alternatively, it is assumed that the malicious goal G1 of the attacker model candidate is achieved when the OR of the subgoals SG1 and SG2, that is, one of the subgoals SG1 and SG2 holds. Here, since the task T1 that makes the subgoal SG2 impossible is already present in the current goal model, the subgoal SG2 is not achieved. At this time, a malicious goal tree in which only the subgoal SG2 is deleted is generated as a new attacker model candidate.

(Procedure 5) The security requirement analysis support apparatus 10 displays the new attacker model candidate created in (Procedure 4) in the goal model, and allows the user to select whether or not it is necessary. In the case of an attacker model candidate whose malicious goal tree itself is deleted, nothing is displayed and the process proceeds to (Procedure 6).
(Procedure 6) When (Procedure 3) to (Procedure 5) are performed for all the attacker model candidates in the attacker model candidate group, the process ends, and (Procedure 3) to (Procedure 5) are still performed. If there is an attacker model candidate that has not been received, the processing from (procedure 2) is performed again.

FIG. 3 is a functional block diagram of the security requirement analysis support apparatus 10 according to the embodiment.
In FIG. 1, the security requirement analysis support device 10 is connected to an external storage device 20, a common term DB 30, and an attack DB 40 installed in an external environment. The external storage device 20, the common term DB 30, and the attack DB 40 can each be configured with one or a plurality of servers, for example. The external storage device 20 stores a goal model file that describes goal model data created by goal-oriented requirement analysis. The common term DB 30 stores information such as fixed vocabulary in a specific domain, synonyms and synonyms of the fixed vocabulary. The attack DB 40 stores a malicious goal tree of a typical attack pattern of an attacker for each domain, that is, attacker model data indicating an attacker model.

  The security requirement analysis support apparatus 10 includes a goal model file input / output unit 11, a goal model information storage unit 12, a goal model information control unit 13, an attacker model information generation unit 14, a DB input / output unit 15, and a goal model information display unit 16. The input device 50 is provided.

  The goal model file input / output unit 11 inputs / outputs a goal model file to / from the external storage device 20. The goal model information storage unit 12 stores goal model information that is a goal model file input from the goal model file input / output unit 11 and stores goal model information generated and edited by the goal model information control unit 13. The goal model information control unit 13 reads, updates, and deletes the goal model information stored in the goal model information storage unit 12 and communicates with the attacker model information generation unit 14 to store the attacker model data. Perform input / output.

  The attacker model information generation unit 14 receives the input of the goal model information from the goal model information control unit 13, creates a DB search formula based on the definition data of the nodes constituting the goal model, and sends it to the DB input / output unit 15. In addition to outputting, the result returned from the DB input / output unit 15 is input. The attacker model information generation unit 14 performs a contradiction / duplication verification process with the current goal model for the attacker model candidate group consisting of the attacker models returned from the DB input / output unit 15 as a search result, and creates a new attack. A candidate model candidate group is generated and output to the goal model information control unit 13.

  The DB input / output unit 15 receives an input of the DB search formula from the attacker model information generation unit 14, outputs the DB search formula to the common term DB 30 or the attack DB 40, receives the returned search result, and receives the attacker The search result is output to the model information generation unit 14. The goal model information display unit 16 displays the goal model and the attacker model on an external display device (display or the like). Further, the input device 50 outputs information input from the user by operating a keyboard or a mouse to the goal model information control unit 13.

FIG. 4 shows a functional block diagram in the attacker model information generation unit 14 shown in FIG.
The attacker model information generation unit 14 includes a goal model information input / output unit 14a, a control unit 14b, a lexical extraction unit 14c, and an attack model generation unit 14d.

  The control unit 14b controls the data input / output flow with the goal model information input / output unit 14a, the lexical extraction unit 14c, the attack model generation unit 14d, and the DB input / output unit 15. The goal model information input / output unit 14a receives input of goal model information from the goal model information control unit 13, reads the attacker model candidate generated by the attack model generation unit 14d from the control unit 14b, and controls goal model information control. To the unit 13. The lexical extraction unit 14c receives the input of the goal model information from the control unit 14b, extracts the name of each element (actor, goal, task, etc.) and generates a search expression for the common term DB 30 to the control unit 14b. Output. The attack model generation unit 14d inputs the current goal model information from the control unit 14b, and reads the data of the attacker model corresponding to the goal model information from the DB input / output unit 15. Further, the attack model generation unit 14d inputs information on the current goal model and the attacker model data of the attacker model candidate, and considers an AND / OR relationship to create a new candidate tree (new attacker model candidate). To rebuild).

FIG. 5 is a diagram showing information stored in the external storage device 20.
The external storage device 20 stores the goal model file. The goal model file includes element data indicating information of each element constituting the goal model node. In the element data, an element ID for uniquely identifying the element, an element type indicating whether the element is an actor / goal / soft goal / task / resource, etc., a description indicating an explanation of the name of the element, It includes information such as an actor area, a higher-level association indicating a higher-level element, a lower-level relationship indicating a lower-level element, contradiction or simultaneous duplication. Elements that are contradictory or overlapped at the same time can be indicated by element IDs, but this information need not be set.

  In the case of the goal model shown in the figure, the external storage device 20 stores a plurality of goal model files, and the goal model file includes element data of actors, goals, soft goals, tasks, and resources. The actor name “medical staff” is set in the element data of the actor. In the element data of the goal, the element ID “goal 1”, the element type “goal”, the description “easily manage the medical record”, and the lower relation “AND of goal 2 and goal 3” are set. ID “goal 2”, element type “goal”, description “search at high speed”, upper relation “goal 1 (AND of goal 2 and goal 3)”, lower relation “task 1”, elements There is an ID “goal 3”, element type “goal”, description “search at high speed”, upper relation “goal 1 (AND of goal 2 and goal 3)”, lower relation “task 1”. . The element data of the task includes an element ID “task 1”, an element type “task”, a description “electronically manage”, a higher-level relationship “goal 2, goal 3, soft goal”, and a lower-level relationship “resource 1, resource 2” "Is set. Some soft goal element data are set with an element ID “soft goal 1”, an element type “soft goal”, a description “does not leak information”, and a subordinate “task 1”. In the element data of the resource, the element ID “resource 1”, the element type “resource”, the description “terminal”, the upper relation “task 1” are set, the element ID “resource 2”, the element type “resource” , The description “DB” and the upper relation “task 1” are set.

  FIG. 6 is a diagram illustrating a goal model file stored in the goal model information storage unit 12 of the security requirement analysis support device 10 and output to the external storage device 20 by the goal model file input / output unit 11. In the figure, the goal model information storage unit 12 temporarily holds a goal model file currently being worked on. The goal model file held here has the same data configuration as the goal model file stored in the external storage device 20.

FIG. 7 is a diagram illustrating information stored in the common term DB 30.
In the figure, the common term DB 30 stores a domain name and a phrase (phrase name) corresponding to the domain name in association with each other. Furthermore, the common term DB 30 stores synonym data indicating information in which a plurality of synonymous words are associated with each other, and synonym data indicating information in which a plurality of words having similar meanings are associated with each other. For example, the common term DB 30 stores the phrase name “doctor, patient, medical clerk,...” In association with the domain name “medical domain”. The synonym data includes information such as “medical clerk = medical staff,...”.

FIG. 8 is a diagram illustrating information stored in the attack DB 40.
In the figure, the attack DB 40 stores information in which domain names are associated with attacker model data. The attacker model data includes an attack ID for identifying the attacker model data, information on the name of the attacker, element data of a malicious goal (attacker element) that is an attacker's goal, and a soft goal (attack). Element data of one or more elements such as an attacker soft goal), a task (an attacker task), and a resource (an attacker resource). Furthermore, the attack DB 40 holds element data that is inconsistent with the element indicated by the element data in the attacker model data, or that cannot be simultaneously established, which is element data of an overlapping element.

FIG. 9 shows a specific example of element data included in the attacker model data and element data in which simultaneous establishment is contradictory.
The attacker model candidate shown in the figure is that the malicious goal “goal 1” depends on the AND of the subgoals “goal 2” and “goal 3”, and the subgoal “goal 3” is subgoal “goal 4”. And “Goal 5” OR. Further, the subgoal “goal 3” is inconsistent with the task “task 1” and cannot exist at the same time.

  At this time, the element data of “Goal 1”, which is a malicious goal, includes an element ID “G1”, an element type “Goal”, a description “Goal 1”, an actor area “Malicious medical staff”, and an upper relationship “None”. Subordinate relation “goal 1 = AND (goal 2, goal 3)”, simultaneous establishment contradiction “none”, and simultaneous establishment duplication “none” are set. The element data of “goal 3”, which is a sub-goal of the malicious goal, includes an element ID “G3”, an element type “goal”, a description “goal 3”, an actor area “malicious medical staff”, an upper-related “goal” “1 = AND (goal 2, goal 3)”, lower-level relation “goal 3 = OR (goal 4, goal 5)”, simultaneous establishment contradiction “T1”, and simultaneous establishment duplication “none” are set. “Goal 1 = AND (Goal 2, Goal 3)” means that Goal 1 is achieved when both Goal 2 and Goal 3 are achieved, “Goal 3 = OR (Goal 4, Goal 4). "5)" indicates that goal 3 is achieved when either goal 4 or goal 5 is achieved.

In addition, in the element data of “goal 3”, the element ID “T1” and the element type “task” are included in the element data “task 1” specified by the element ID “T1” described as conflicting inconsistency. , Description “task 1”, actor area “malicious medical staff”, upper relation “none”, lower relation “none”, simultaneous establishment contradiction “G3”, and simultaneous establishment duplication “none” are set.
Further, in the figure, it is assumed that a task t1, which is an element substantially equivalent to task 1, is included in the goal model generated by the analyst. The element data of the task t1 in the goal model information includes an element ID “T999”, an element type “task”, a description “task t1”, an actor area “malicious medical staff”, an upper relation “none”, and a lower relation “ “None”, simultaneous establishment contradiction “none”, and simultaneous establishment duplication “none” are set.

Next, the operation of the security requirement analysis support device 10 will be described.
FIG. 10 is a flowchart showing an outline of processing of the security request analysis support apparatus 10.
First, the goal model file input / output unit 11 of the security requirement analysis support device 10 reads a goal model file to be edited from the external storage device 20 (step S110). The goal model file to be edited is specified by, for example, a file name input by the input device 50. The goal model information storage unit 12 stores the goal model file read by the goal model file input / output unit 11 from the external storage device 20 as goal model information (step S120).

  Subsequently, the attacker model information generation unit 14 receives the goal model information from the goal model information storage unit 12 via the goal model information control unit 13 (step S130). The attacker model information generation unit 14 generates a search expression for searching a domain from terms included in the description of each element data in the goal model information, and outputs the search expression to the DB input / output unit 15 (step S140). The DB input / output unit 15 receives an input of a result of searching the common term DB 30 using the input search formula (step S150). The attacker model information generation unit 14 receives the input of the domain search result in step S150 from the DB input / output unit 15.

  Subsequently, the goal model information storage unit 12 generates a search expression for searching for the attacker model data as an attacker model candidate from the result received in step S150, and outputs it to the DB input / output unit 15 (step). S160). The DB input / output unit 15 receives the result of searching the attack DB 40 using the input search formula (step S170). The attacker model information generation unit 14 receives the attacker model search result input in step S180 from the DB input / output unit 15.

  When the attacker model information generation unit 14 receives an input of the search result of the attacker model data from the DB input / output unit 15, the attacker model data is combined into an attacker model candidate group (step S180). When the attacker model candidate group generated by the attacker model information generation unit 14 is input to the goal model information control unit 13 (step S190), the goal model information control unit 13 The attacker model candidate specified by the attacker model data is output to the goal model information display unit 16. When the attacker model data is input, the goal model information display unit 16 sequentially displays the attacker model candidates indicated by the data, and inputs necessary / unnecessary information of the attacker model candidates displayed by the input device 50. (Step S200). As a result, the goal model information control unit 13 adds the attacker model data of the attacker model candidate that has been input as necessary to the current goal model information and writes it to the goal model information storage unit 12.

  When necessity is selected for all the attacker model data in the attacker model candidate group and a save instruction is input by the input device 50, the goal model file input / output unit 11 reads the goal model information storage unit 12 from the goal model information storage unit 12. An input of model information is received (step S210). The goal model file input / output unit 11 outputs the goal model file in which the input goal model information is set to the external storage device 20 (step S220). The external storage device 20 stores the goal model file input from the goal model file input / output unit 11.

FIG. 11 is a flowchart of processing executed in the attacker model information generation unit 14 in the security request analysis support apparatus 10.
The goal model information input / output unit 14a of the attacker model information generation unit 14 receives the input of the goal model information read from the goal model information storage unit 12 by the goal model information control unit 13 in step S130 of FIG. 10 (step S310). ). The lexical extraction unit 14c extracts the attribute of each element from the goal model information input in step S310. Specifically, the lexical extraction unit 14c reads the description information from each element data included in the goal model information, and extracts the phrase included in the description information (step S320). For example, in the case of the goal model of FIG. 1, phrases such as an actor description “medical clerk”, “doctor”, “patient”, a task description “karte”, and “management” are extracted.

  The lexical extraction unit 14c includes a search expression K1 for reading the synonym of the extracted word and a word stored in correspondence with the domain name among the domain names registered in the common term DB 30. A search formula K2 for reading out the extracted word / phrase having the largest number of synonyms acquired by the search formula K1 is generated. The control unit 14b outputs the search formulas K1 and K2 generated by the lexical extraction unit 14c to the DB input / output unit 15, and the DB input / output unit 15 receives a search result based on the search formula K2 obtained from the common term DB 30. The control unit 14b outputs the search result information of the search formula K2 received from the DB input / output unit 15 to the lexical extraction unit 14c (step S330).

  For example, in the case of the goal model shown in FIG. 1, the synonym “medical staff” corresponding to the extracted phrase “medical clerk” is read out by the search formula K1. Subsequently, the search expression K2 includes the most frequently included words in any one of “medical clerk”, “doctor”, “patient”, “management”, and “medical staff” among all domains. A domain is searched, and as a result, a “medical domain” in which three phrases “doctor”, “patient”, and “medical staff” are associated is obtained as a search result.

  The lexical extraction unit 14c generates a search formula K3 for reading attacker model data corresponding to the domain indicated by the input search result. The control unit 14b outputs the search formula K3 generated by the lexical extraction unit 14c to the DB input / output unit 15, and the DB input / output unit 15 receives a search result based on the search formula K3 obtained from the common term DB 30. The control unit 14b outputs information on the search result of the search formula K3 received from the DB input / output unit 15 to the attack model generation unit 14d (step S340).

  The attack model generation unit 14d sets a set of all attacker model data indicated by the search result of the search expression K3 input in step S340 as an attacker model candidate group. Then, referring to the current goal model information and each attacker model data in the attacker model candidate group, if there are redundant or overlapping elements, the attacker model candidate tree indicated by the attacker model data Or the attacker model data itself is deleted. The attack model generation unit 14d uses the attacker model data that has no redundant or overlapping elements and the attack model has not been corrected, or the attacker model data obtained by reconstructing the attack model because there are redundant or overlapping elements. It outputs to the goal model information control part 13 (step S350, step S360: NO).

  The goal model information control unit 13 instructs the goal model information display unit 16 to display the attacker model candidates indicated by the inputted attacker model data. At this time, the element indicated by the element data is displayed in the actor area indicated by each element data of the attacker model data. The goal model information control unit 13 receives input of necessary / unnecessary information of an attacker model candidate displayed by the goal model information display unit 16. Then, the attacker model data of the attacker model candidate to which the key is input is written in the goal model information storage unit 12 as goal model information. The attack model generation unit 14d determines whether or not it is necessary to reconstruct the attacker model data included in all the attacker model candidate groups, and determines whether or not reconstruction is necessary. If the attacker model data is completed, the process ends (step S360: YES).

FIG. 12 is a flowchart of candidate tree reconstruction processing for an attacker model candidate executed in step S350 of FIG.
The attack model generation unit 14d reads out information on whether or not element data of an element equivalent to the element is registered in the attack DB 40 for all elements included in each actor in the current goal model (step S410). ). Specifically, first, among the elements of the goal model information, an element having the same value as the element that cannot be simultaneously established is identified. That is, the attack model generation unit 14 d reads the description data from each element data in the goal model information stored in the goal model information storage unit 12. Then, a search expression K4 for searching for synonyms of the phrase indicated by the read description data is generated. The control unit 14b outputs the search expression K4 generated by the attack model generation unit 14d to the DB input / output unit 15. In the control unit 14b, the DB input / output unit 15 receives an input of the synonym search result acquired from the common term DB 30 by the search formula K4, and outputs it to the attack model generation unit 14d.

The attack model generation unit 14d generates a search formula K5 for reading out the element data that cannot be simultaneously established in which the synonym indicated by the synonym search result is set as the description data. The control unit 14b outputs the search expression K5 generated by the attack model generation unit 14d to the DB input / output unit 15. In the control unit 14b, the DB input / output unit 15 receives an input of the search result of the simultaneous dissatisfiable element data acquired from the attack DB 40 by the search formula K5, and outputs it to the attack model generation unit 14d.
In this way, when element data that cannot be simultaneously established indicating an element having the same value as the element included in the goal model is obtained, the element ID is read from the simultaneous establishment contradiction and the simultaneous establishment overlap of the element that cannot be simultaneously established. Save to internal memory.

  In FIG. 11, the search formula K3 for reading the attacker model data corresponding to the domain and the information on simultaneous establishment contradiction and simultaneous establishment overlap in the attacker model data read by the search formula K3 are specified. You may make it output search formula K5 'for reading the element data which cannot be formed simultaneously to attack DB40. In this case, the attack model generation unit 14d uses the simultaneous dissatisfiable element data in which the synonym indicated by the synonym search result is set in the description data from among the simultaneous dissatisfiable element data obtained as the search result of the search formula K5 ′. What is necessary is just to specify.

  Taking FIG. 9 as an example, it is assumed that a task (element ID “T999”) with the description “task t1” is included in the already created goal model. At this time, the description “task t1” is read from the element data included in the goal model information, and the search result including the synonym “task 1” of “task t1” is read from the common term DB 30. This synonym “task 1” is set in the description, and the element of the element data “element ID“ T1 ”) having the same element type“ task ”and the actor area“ malicious medical staff ”cannot be formed simultaneously is“ task It is determined that “t1” is equivalent to the goal model task (element ID “T999”) set in the description. The simultaneous establishment contradiction element ID “G3” read from the simultaneous establishment impossible element data (element ID “T1”) determined to be the same value is stored in the memory in the attack model generation unit 14d.

  Next, the attack model generation unit 14d determines whether any element data in the attacker model data is specified by the element ID held in the memory in step S410 (step S420). If there is element data specified by the element ID held in the memory, the upper relation of the corresponding node is determined from the upper relation information in the element data (step S430).

  If it is determined in step S430 that the upper relationship is “none” or “OR”, all the nodes in the lower hierarchy of the node corresponding to the element and the attacker model having the shape in which the own node is deleted are displayed. The attacker model data to be represented is generated (step S440). Specifically, when the element data is deleted from the element data in the attacker model data, and the element ID is described in the lower related information in the deleted element data, it is specified by the element ID. If the element ID is described in the lower related information in the deleted element data, the process repeatedly deletes all the element data specified by the element ID. .

  On the other hand, if it is determined in step S430 that the upper relationship is “AND”, the parent node of the node to which the element corresponds, all the nodes in the same hierarchy as the node to which the element corresponds, and the node to which the element corresponds to All the nodes in the lower hierarchy and the attacker model data representing the attacker model having the shape in which the own node is deleted are generated (step S450). Specifically, the element data is deleted from the element data in the attacker model data, and specified by the element IDs of the upper and lower elements described in the upper related information of the deleted element data. Delete all element data. Further, when the element ID is described in the lower-level related information in the deleted element data, all the element data specified by the element ID are deleted, and further, the lower-level related information in the deleted element data is deleted. When the element ID is described in the information, the deletion of all the element data specified by the element ID is repeated until the lower related information becomes “none”.

  The attack model generation unit 14d outputs the attacker model data indicating the attacker model reconstructed in Step S440 or Step S450 to the goal model information control unit 13 (Step S460). The goal model information control unit 13 causes the goal model information display unit 16 to display the attacker model indicated by the input attacker model data as a candidate.

  In addition, after the selection of the attacker model data is completed, if the goal model is edited again and a node is added, the attacker model data update instruction is input when the node is added or after the node is added. At the same timing, the element data of the newly added node is identified again by the same procedure as in step S410 in FIG. Then, for the attacker model data stored in the goal model information storage unit 12, that is, once selected by the user, an element having the same value as the element of the newly added node is obtained by the same procedure as in FIG. Confirm the simultaneous establishment with the element data that cannot be formed simultaneously. If the malicious goal is not achieved when elements that are not simultaneously established are deleted, the attacker model data is deleted from the goal model information storage unit 12 and the goal model displayed by the goal model information display unit 16 Clear the display of attacker model data. In addition, if the malicious goal is achieved even when elements that do not hold simultaneously are deleted, the attacker model that deleted and reconstructed the elements that did not hold when the elements were deleted Is replaced with the current attacker model data in the goal model information storage unit 12, and the current attack displayed on the goal model information display unit 16 based on the attacker model data before the replacement. By instructing the display of the model to be changed to the display of a new goal model indicated by the replaced attacker model data, the display of the deleted element is deleted. Thereby, the element of the inconsistent and redundant attacker model data can be deleted even for the newly added node.

  According to the above-described embodiment, there is an effect that in the security requirement analysis, there is an increased possibility that an attack that is easily forgotten can be found. At this time, unnecessary analysis is removed, so that analysis efficiency is increased. In addition, duplication and contradiction of elements can be verified in the goal model creation process. As a result, the reliability (coverage and validity) of security-related requirements analysis is enhanced, and even a novice can easily support security requirements analysis. In addition, the processing cost can be reduced.

  The security requirement analysis support device 10, the external storage device 20, the common term DB 30, and the attack DB 40 described above have a computer system inside. The operation processes of the external storage device 20, the common term DB 30, and the attack DB 40 of the security requirement analysis support device 10 are stored in a computer-readable recording medium in the form of a program, and the computer system reads this program. The above processing is performed by executing the above. Here, the computer system includes a CPU, various memories, an OS, and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

It is a figure for demonstrating the operation | movement outline | summary of the security requirement analysis assistance apparatus by one embodiment of this invention. It is a figure for demonstrating the process outline | summary of the attacker model reconstruction in the security requirement analysis assistance apparatus by the embodiment. It is a functional block diagram of the security requirement analysis support device by the embodiment. The functional block diagram in the attacker model information generation part of the security requirement analysis assistance device by the embodiment is shown. It is a figure which shows the information memorize | stored in the external storage device by the embodiment. It is a figure which shows the goal model file by the embodiment. It is a figure which shows the information which common term DB by the same embodiment hold | maintains. It is a figure which shows the information which attack DB by the same embodiment hold | maintains. It is a figure which shows the example of the element data contained in the attacker model data by the embodiment, and the element data in which simultaneous establishment is contradictory. It is a flowchart which shows the process outline | summary in the security requirement analysis assistance apparatus by the embodiment. It is a flowchart of the process in the attacker model information generation part in the security requirement analysis assistance apparatus by the embodiment. It is a flowchart of the candidate tree reconstructing process in the attacker model information generating unit in the security requirement analysis support device according to the embodiment. An example of goal model analysis using prior art goal-oriented requirement analysis is shown. FIG. 4 shows a process extended by the prior art. The example of the goal model produced | generated by the process shown in FIG. 14 is shown. The example of the goal model produced | generated by the process shown in FIG. 14 is shown. It is a figure which shows the example when a redundant element is contained in the goal model.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Security requirement analysis support apparatus 11 ... Goal model file input / output part 12 ... Goal model information storage part 13 ... Goal model information control part 14 ... Attacker model information generation part 14a ... Goal model information input / output part 14b ... Control part 14c ... Lexical extraction unit 14d ... Attack model generation unit 15 ... DB input / output unit 16 ... Goal model information display unit 20 ... External storage device 30 ... Common term DB
40 ... Attack DB
50 ... Input device

Claims (5)

By presenting a candidate model of an attacker that threatens security to a goal model that includes the goal to be achieved by the development system and the goal or task to achieve the goal, or one or more of the resources as elements. A security requirement analysis support device for supporting security analysis,
A goal model information storage unit that stores goal model data indicating information on the elements constituting the goal model and the dependencies between the elements;
Elements that achieve the malicious goal, which is the goal that the malicious attacker is aiming for, and the attacker model indicated by the dependency between the elements, and the elements that make up the attacker model due to contradiction or duplication An attack database that stores attacker model data consisting of information on elements that are not simultaneously established in association with a domain,
A database input / output unit that reads attacker model data corresponding to information of a domain to which the goal model belongs, from the attack database;
Based on the information on the non-concurrent elements indicated by the attacker model data read by the database input / output unit and the information on the elements indicated by the goal model data in the goal model information storage unit, from among the attacker model data The attacker model data that includes an element that does not hold simultaneously with the element indicated by the goal model data is identified, and further, from the information of the element indicated by the identified attacker model data and the dependency relationship between the elements. Determining whether the malicious goal is achieved when the elements that are not simultaneously established are deleted, and if the malicious goal is achieved even when the elements that are not simultaneously established are deleted, the attacker model data is The element that is not simultaneously established from the attacker model indicated by the attacker model data is deleted and the element is not established. And attacker model information generating unit that changes to indicate a new attacker model removing an element,
The attacker model information determined by the attacker model information generation unit as not including elements that are not simultaneously established with the elements indicated by the goal model data, and the attacker models indicated by the changed attacker model data A goal model information control unit that instructs to display
A security requirement analysis support apparatus comprising: A common term database that stores information on words corresponding to the domain and similar words of the words;
The element information in the goal model data includes descriptive information indicating an explanation of the element,
The attacker model information generation unit extracts a phrase used in the description of the element from information on the element indicated by the goal model data in the goal model information storage unit,
The database input / output unit assigns, as the domain to which the goal model belongs, a domain in which words extracted by the attacker model information generation unit and similar words of the extracted words are associated with the common term database Read from the
The security requirement analysis support device according to claim 1, wherein: The attack database further stores element data that cannot be simultaneously formed including at least information of a description indicating an element that is not simultaneously formed with an element included in the attacker model;
Further comprising a common term database for storing synonyms of words included in the description of elements that are not simultaneously established with elements included in the attacker model,
The database input / output unit reads from the common term database information on synonyms of words and phrases used in the description of the element indicated by the goal model data in the goal model information storage unit, and the element data that cannot be simultaneously established. Read from the attack database,
The attacker model information generation unit receives the synonym information read by the database input / output unit and the element data that cannot be simultaneously established, and the synonym is included in the description of the element data that cannot be simultaneously established. Unsuccessful element data is identified, and from the attacker model candidate group, the attacker model data including the data of the elements that are not simultaneously represented as indicated by the identified simultaneously unsatisfiable element is represented by the goal model data. Judge that it is attacker model data that contains elements that do not hold simultaneously with the elements shown.
The security requirement analysis support device according to claim 1, wherein: The goal model information storage unit stores information on the attacker model data selected by the user from the attacker model data whose output is instructed by the goal model information control unit,
When an element is added to the goal model, the attacker model information generation unit is newly based on information on the elements that are not simultaneously established indicated by the attacker model data stored in the goal model information storage unit. Identifies attacker model data that contains data of elements that are not established at the same time as the added elements, and establishes them simultaneously from the information indicated by the identified attacker model data and the dependency between the elements. It is determined whether or not a malicious goal is achieved when the element is deleted, and if the malicious goal is not achieved, the attacker model data is deleted from the goal model information storage unit and not simultaneously established If the malicious goal is achieved even when the element is deleted, the identified attacker model data is extracted from the attacker model indicated by the attacker model data. Deletes the established non relevant elements when changes to indicate a new attacker model removing an element that does not hold when deleting the element,
The goal model information control unit erases the attacker model indicated by the attacker model data deleted by the attacker model information generation unit from the display and changes the display of the attacker model before the change. Instruct to change to the display of the new attacker model indicated by the model data.
The security requirement analysis support device according to claim 1, wherein: By presenting a candidate model of an attacker that threatens security to a goal model that includes the goal to be achieved by the development system and the goal or task to achieve the goal, or one or more of the resources as elements. A computer used as a security requirement analysis support device for supporting security analysis,
A goal model information storage unit for storing goal model data indicating information on elements constituting the goal model and dependencies between the elements;
Elements that achieve the malicious goal, which is the goal that the malicious attacker is aiming for, and the attacker model indicated by the dependency between the elements, and the elements that make up the attacker model due to contradiction or duplication An attack database that stores attacker model data consisting of information about elements that do not hold simultaneously with the domain,
A database input / output unit for reading attacker model data corresponding to information of a domain to which the goal model belongs, from the attack database;
Based on the information on the non-concurrent elements indicated by the attacker model data read by the database input / output unit and the information on the elements indicated by the goal model data in the goal model information storage unit, from among the attacker model data The attacker model data that includes an element that does not hold simultaneously with the element indicated by the goal model data is identified, and further, from the information of the element indicated by the identified attacker model data and the dependency relationship between the elements. Determining whether the malicious goal is achieved when the elements that are not simultaneously established are deleted, and if the malicious goal is achieved even when the elements that are not simultaneously established are deleted, the attacker model data is The element that is not simultaneously established from the attacker model indicated by the attacker model data is deleted and the element is not established. An attacker model information generating unit that changes to indicate a new attacker model removing an element,
The attacker model information determined by the attacker model information generation unit as not including elements that are not simultaneously established with the elements indicated by the goal model data, and the attacker models indicated by the changed attacker model data Goal model information control unit that instructs to display
A computer program that functions as a computer program.

Images